References

Academic Papers

  1. Lamport, L. (1978). Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM, 21(7), 558–565.
    The foundational paper that introduced Lamport logical clocks and the happens-before relation.

  2. Ongaro, D., & Ousterhout, J. (2014). In Search of an Understandable Consensus Algorithm (Raft). USENIX Annual Technical Conference.
    The paper that introduced Raft, designed explicitly to be more understandable than Paxos.

  3. Bloch, J. (2018). Effective Java (3rd ed.). Addison-Wesley.
    Item 85: Prefer alternatives to Java serialization. The canonical reference on why Java's built-in serialization is dangerous.

Standards & Specifications

  1. OWASP Foundation. (2021). OWASP Top Ten. https://owasp.org/Top10/
    The industry-standard awareness document for web application security.

  2. IETF RFC 8446. (2018). The Transport Layer Security (TLS) Protocol Version 1.3.
    The definitive specification for TLS 1.3, which underpins our mutual TLS implementation.

  3. IETF RFC 8018. (2017). PKCS #5: Password-Based Cryptography Specification Version 2.1.
    Specifies PBKDF2, the password-based key derivation function used for password hashing in our PasswordUtils.

  4. Oracle. (2023). Java RMI over SSL. Java SE Documentation.
    https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/socketfactory/SSLInfo.html

  5. Oracle. (2023). Java Secure Socket Extension (JSSE) Reference Guide.
    https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

  6. Oracle. (2023). Java Object Serialization Specification.
    https://docs.oracle.com/javase/8/docs/platform/serialization/spec/serialTOC.html

Common Weakness Enumeration (CWE)

  1. CWE-502: Deserialization of Untrusted Data. https://cwe.mitre.org/data/definitions/502.html
    The weakness class covering deserialization of attacker-controlled data, which can trigger code execution during deserialization.

  2. CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'). https://cwe.mitre.org/data/definitions/470.html

  3. CWE-319: Cleartext Transmission of Sensitive Information. https://cwe.mitre.org/data/definitions/319.html
    Sending authentication credentials or sensitive data without encryption.

  4. CWE-306: Missing Authentication for Critical Function. https://cwe.mitre.org/data/definitions/306.html
    A critical function that doesn't verify the caller's identity.

  5. CWE-294: Authentication Bypass by Capture-replay. https://cwe.mitre.org/data/definitions/294.html
    Replaying a captured authentication or operation request.

Tools

  1. ysoserial. https://github.com/frohoff/ysoserial
    A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Used in our Vulnerability 1 demo.

Course Information

  • Course: CCY3302 / CS425 — Distributed Systems Security
  • Semester: Spring 2026
  • Student: Jana Ashraf Ali — Registration #221010291
  • Lecturer: Prof. Dr. Ayman Adel Abdel-Hamid
  • Institution: [Course institution]

This documentation was built with Docusaurus.